Concerned About Your Business Cyber Security?

(877) 321--7374

Obfuscating without XOR, (Thu, Jun 22nd)

Malicious files are generated and spread over the wild Internet daily (read: hourly). The goal of the attackers is to use files that are:

  • not know by signature-based solutions
  • not easy to read for the human eye

Thats why many obfuscation techniques existto lure automated tools and security analysts. In most cases, its just a question of time to decode the obfuscated data. A classic technique is to use the XOR cypher[1]. This is definitively not a new technique(see a previous diary[2] from 2012) but it still heavily used. And many tools can automate the search for XORd string. Viper, the binary analysis and management framework, is a good example. It can scan for XOR padding:5px 10px”>
viper tmpnYaBJs xor -a
[*] Searching for the following strings:
– This Program
– GetSystemDirectory
– CreateFile
– IsBadReadPtr
– IsBadWritePtrGetProcAddress
– LoadLibrary
– WinExec
– CreateFileShellExecute
– CloseHandle
– UrlDownloadToFile
– GetTempPath
– ReadFile
– WriteFile
– SetFilePointer
– GetProcAddr
– VirtualAlloc
– http
[*] Hold on, this might take a while…
[*] Searching XOR
[!] Matched: http with key: 0x74
[*] Searching ROT
viper tmpnYaBJs padding:5px 10px”>
var bcacfdfaebbbfDeck = new ActiveXObject(dbdbfaeefccaee(+L+^%^LK%,LpL(KeL^%z%+%u%u

I took some time to check how the obfuscation was performed. How does it work?

The position of each character is searched in the $data variable and decreased by one. Then the character at this position is returned to build a string of hexcodes. Finally, the hex codes are converted into the final string. Example with the two first characters of the example above:

$data =SYOm7L-3^ojXtMA2Kbk_FN)GB.$1PJgR

  • + is located at pos 20, search the character at position 19 (20 – 1): 5
  • L is located at pos 5, search the character at position 4 (5 – 1): 7
  • 57 is the hex code for W padding:5px 10px”>
    // Convert a string from hex chars to string.
    // In: 575363726970742E7368656C6C
    // Out:
    var bufferout = i

    // Convert the obfuscate string by shifting by 1 char
    function deobfuscate(string,step){
    var data = SYOm7L-3^ojXtMA2Kbk_FN)GB.$1PJgR
    var bufferout = i
    if (p2 padding:5px 10px”>
    var s = deobfuscate(%zL(L(Lp^2KNKN^P^z^+Ke^P^+^(Ke^+^KKe^P^p^PKN%u%N%L%NKe%,%0%L padding:5px 10px”>

    And when you understand how to deobfuscate, it padding:5px 10px”>
    function obfuscate(string,step){
    var data = SYOm7L-3^ojXtMA2Kbk_FN)GB.$1PJgR
    var bufferout = i j
    if (p2
    if (p2==l2)
    padding:5px 10px”>
    var foo = obfuscate( padding:5px 10px”>

    Of course, the method analyzedhere is a one shot! The number of ways to obfuscate data is unlimited…


    Xavier Mertens (@xme)
    ISC Handler – Freelance Security Consultant
    PGP Key

    (c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Ready For ASuperheroI.T. Solution?

Real Time Web Analytics